This invention relates to Voice-over-Internet-Protocol (VoIP) software, and more particularly to testing and selecting communication methods through firewalls.
Internet-enabled communication includes electronic mail, web browsing, instant messaging, and video and audio streaming. Using the Internet to complete telephone calls is possible using voice-over-Internet-Protocol (VoIP) technology. Video messages may also be exchanged using enhancements to VoIP technology.
To protect local computers and networks from unauthorized use or even outright attack, various security measures can be taken. A barrier between a local network and the Internet is often employed. This barrier is known as a firewall since it protects internal networks from the ravages of the open Internet.
Firewall is a generic term that describes an array of different technologies for securing computer networks. Some common firewall technologies are packet filters, proxy servers, Network Address Translation, Port Address Translation and application protocol filtering. Firewalls can be implemented in routers, special firewall appliances, and bastion hosts at the connection point of two or more computer networks. Personal firewalls are software applications running on a personal computer.
Firewalls can operate on different levels of the network. FIG. 1 is a reference diagram for the Open Systems Interconnection (OSI) network model. Packets passing through a firewall can be filtered by examining their IP addresses, TCP ports, protocols, states, or other header criteria at network layer 3 or transport layer 4. These are known as packet-filtering firewalls.
Dynamic or stateful packet filters can operate on most of the layers. Only specifically-configured traffic is allowed through these more-restrictive firewalls, such as web-browser traffic that uses Transmission-Control-Protocol (TCP) on port 80. Some firewalls check that standard hyper-text transfer protocol (HTTP) or secure-sockets layer (SSL) protocols are being followed.
All traffic from outside the firewall can be blocked except when a connection is opened from within the firewall. A temporary return path, opening, or window is created through the firewall for each connection initiated from the local network within the firewall. This window closes when the connection is closed.
For User Datagram Protocol (UDP), the temporary return path may be closed when no traffic has flowed through the Dynamic Packet Filter for a configurable time period. Some firewalls allow traffic flowing in either direction to reset the timer, while others allow only outbound packets to reset the timer.
Proxy servers can operate on layers 3, 4, or application layer 7. Clients behind the firewall connect to the proxy server, which then makes another connection to the final server. Application protocol filtering can also operate on layer 7. Presentation layer 6 and session layer 5 lie between the sockets of layer 7 and the TCP connections of layer 4. Data link layer 2 encapsulates the data into the actual packets or frames transmitted over the physical layer 1.
Firewalls can interfere with some Internet applications, even preventing their use across firewalls. For example, VoIP applications can be blocked by firewalls. FIG. 2 illustrates how a firewall can block incoming UDP packets for a VoIP application. Personal computer PC 10 is protected by firewall 14, while server or PC 12 is directly connected to Internet 16.
Voice call applications prefer to use the more bandwidth-efficient UDP rather than TCP to stream audio. Separate ports can be used for each direction of the audio stream. For example, audio from the user at PC 10 can be sent over Internet 16 to port 5401 of PC 12 using the UDP protocol. Datagrams can pass through firewall 14 since they originate from within (inside) firewall 14.
The reverse-direction audio stream is sent from PC 12 to a different port 5885 of PC 10. However, when PC 12 attempts to stream audio back to PC 10, firewall 14 blocks the UDP datagrams. Firewall 14 sees these UDP datagrams as coming from Internet 16 without a corresponding request from PC 10 inside the firewall. Firewall 14 blocks these UDP datagrams, assuming that they are unauthorized and possibly an attack on the local network.
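The stateful-filter behaviour described above (the temporary return window with its idle timer and the two timer-reset policies, and the FIG. 2 case where PC 12's return stream to port 5885 is dropped) as an added Python model; this is example code written for this page, not the patent's implementation, and the addresses, PC 10's source port 6000 and the 30-second timeout are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class StatefulUdpFilter:
    """Dynamic (stateful) UDP packet filter model. An outbound datagram opens a
    temporary return path keyed on its four-tuple; an inbound datagram passes
    only if it matches an open path that has not idled longer than `timeout`.
    `reset_on_inbound` selects which timer-reset policy the firewall uses."""
    timeout: float
    reset_on_inbound: bool = True
    inside_prefix: str = "10.0.0."                # constructed local-network prefix
    windows: dict = field(default_factory=dict)   # flow tuple -> last activity time

    def _expire(self, now):
        for key, last in list(self.windows.items()):
            if now - last > self.timeout:
                del self.windows[key]

    def packet(self, src_ip, src_port, dst_ip, dst_port, now):
        """Return 'pass' or 'drop' for one UDP datagram seen at time `now` (seconds)."""
        self._expire(now)
        if src_ip.startswith(self.inside_prefix):
            # Outbound: open or refresh the window for the matching return flow.
            self.windows[(src_ip, src_port, dst_ip, dst_port)] = now
            return "pass"
        key = (dst_ip, dst_port, src_ip, src_port)  # inbound tuple, reversed
        if key not in self.windows:
            return "drop"                           # unsolicited from the Internet side
        if self.reset_on_inbound:
            self.windows[key] = now
        return "pass"

PC10, PC12 = "10.0.0.10", "203.0.113.12"          # constructed addresses for FIG. 2

def fig2_verdicts(fw):
    """FIG. 2: PC 10 streams to PC 12 port 5401; PC 12 streams back to PC 10 port 5885."""
    return [
        fw.packet(PC10, 6000, PC12, 5401, 0.0),   # outbound audio opens a window
        fw.packet(PC12, 5401, PC10, 5885, 0.5),   # return stream to a different port: blocked
        fw.packet(PC12, 5401, PC10, 6000, 1.0),   # a reply on the opened tuple passes
    ]

def timer_verdicts(reset_on_inbound):
    """Effect of the two timer-reset policies on a window the inside host leaves idle."""
    fw = StatefulUdpFilter(timeout=30.0, reset_on_inbound=reset_on_inbound)
    fw.packet(PC10, 6000, PC12, 5401, 0.0)        # window opened at t=0 by PC 10
    first = fw.packet(PC12, 5401, PC10, 6000, 20.0)   # 20 s idle: still open
    second = fw.packet(PC12, 5401, PC10, 6000, 45.0)  # 45 s after the last outbound packet
    return [first, second]
```

The second FIG. 2 verdict is "drop" because no window matches PC 10's port 5885, while the third shows that only traffic on the exact reverse tuple of an inside-initiated flow gets through; the timer cases show that a firewall which resets only on outbound packets closes the window even while inbound audio is still arriving.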
While some firewalls, such as personal firewalls, can be configured to allow the incoming packets to enter from the outside Internet, most firewalls cannot be configured by ordinary users. While some standard-application traffic may be able to pass through firewalls, such as web traffic using TCP to port 80, other kinds of traffic, such as UDP packets or packets to other arbitrary ports, are often unconditionally blocked.
The parent application, Null-Packet Transmission from Inside a Firewall to Open a Communication Window for an Outside Transmitter, U.S. Ser. No. 09/682,084, filed Jul. 18, 2001, disclosed using null packets to open a window in a restrictive firewall that otherwise blocked incoming UDP packets. Another parent application Firewall-Tolerant Voice-Over-Internet-Protocol (VoIP) Emulating SSL or HTTP Sessions Embedding Voice Data in Cookies, U.S. Ser. No. 10/248,762, filed Feb. 14, 2002, disclosed a voice-proxy that forwarded VoIP voice data using HTTP or SSL messages.
A VoIP application is desired that can test and determine how restrictive any intervening firewall is. The VoIP application on the client or at a server can then select the most efficient communication method that can still pass through the firewall. A VoIP system that can test and select from among several different communication methods is desirable.